Configure SSO for Dev Portal

1. In Azure, register an application for Konnect. Configure the following settings:
   • Redirect URI: https://cloud.konghq.com/login
   • Create a client secret and save the secret value.

2. Use the OIDC well-known discovery endpoint to find and save the issuer value. The issuer value will be used as the provider URL when configuring SSO in Konnect.

3. Add a group claim. Enable all the group types settings and select Group ID for each setting in the token properties type.

4. Configure an optional claim with ID as the token type and email as the claim.

1. Create a new OIDC application in Okta to manage Kong Konnect account integration. Configure the following settings:
   • Application Type: Web Application
   • Grant type: Authorization Code
   • Sign-in redirect URIs: https://cloud.konghq.com/login
   • Sign-out redirect URIs: https://cloud.konghq.com/login

   Leave this page open. You’ll need the connection details here to configure your Kong Konnect account.

2. (Optional) If you want to use group claims for Konnect developer team mappings, click the Claims tab in Okta to configure a groups claim and fill in the following fields:

   Field	Value
   Name	groups
   Include in token type	ID token, Always
   Value type	Groups
   Filter	Select Matches regex from the drop-down, then enter .* in the field.
   Include in	Choose The following scopes and select openid, email, and profile.

   This claim tells Okta to reference a subset of Okta groups. In this case, the wildcard (.*) value tells Okta to make all groups available for team mapping.

   If the authorization server is pulling in additional groups from third-party applications (for example, Google groups), the groups claim cannot find them. An Okta administrator needs to duplicate those groups and re-create them directly in Okta. They can do this by exporting the group in question in CSV format, then importing the CSV file to populate the new group.

3. Add users to the Okta application.

4. Test ID token claims and find groups for mapping. Configure the following claims settings:
   • OAuth/OIDC client: Enter the client name you previously created for your Okta application
   • Grant Type: Authorization Code
   • User: Select an Okta user that is assigned to the Konnect application to test the claim with
   • Scope: openid, email, profile

   In the generated Preview Token preview, ensure that the groups value is present. From the list of groups in the preview, identify groups that you want to use in Konnect. Take note of these groups.

Kong offers OIDC support to allow Single-Sign-on for Konnect and the Dev Portal. This guide shows you how to configure Auth0 for Dev Portal SSO.

1. Create an application in Auth0 and configure the following settings:
   • Application Type: Machine to Machine Applications
   • Authorized API: Auth0 Management API
   • Permissions: Authorize the application for at least one permission, for example: read:client_grants. This permission can be revoked later if desired, but one permission is required to create the application.
2. Configure the Auth0 application settings:
   • Application Login URI: https://cloud.konghq.com/login
   • Allowed Callback URLs: https://cloud.konghq.com/login
   • Grant Types: Authorization Code

3. Create a login action in Auth0 and enter the following in the Actions Code Editor:

    exports.onExecutePostLogin = async (event, api) => {
    if (event.authorization) {
        // This transforms the ISO 8601 Timestamp string into the seconds integer representation that is expected for the OIDC standard,
        // allowing the Konnect SSO validation to accept the format of the `updated_at` property when parsing the token claim.
        api.idToken.setCustomClaim('updated_at', Math.floor(new Date(event.user.updated_at).getTime()/1000))
    }
    };
   

   Important: This section is required because the Auth0 API implementation isn’t inline with the OIDC standard for the updated_at token claim value.

4. Deploy the action by dragging it from the Start to Complete step in the Login Flow.